ESET CVE-2016-9892 Flaw Exposes Macs to Remote Code Execution

Another day, another vulnerability. Did you hear about the recently revealed remote code execution bug in all (except the latest) ESET Endpoint Antivirus 6 for macOS? The vulnerability in question has been identified as CVE-2016-9892.

The vulnerability was discovered and reported by Google Security Team researchers (Jason Geffner and Jan Bee). As to why it was there to be found in the first place – esets_daemon service was found to be statically linked to an outdated version of the POCO XML parser library.

CVE-2016-9892 explained by the security experts:

The esets_daemon service, which runs as root, is statically linked with an outdated version of the POCO XML parser library (https://pocoproject.org/) — version 1.4.6p1 from 2013-03-06. This version of POCO is based on Expat (http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a publicly known XML parsing vulnerability (CVE-2016-0718) that allows for arbitrary code execution via malformed XML content.

Furthermore, “when ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf. The esets_daemon service does not validate the web server’s certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.”

Mitigation against CVE-2016-9892

CVE-2016-9892 has already been fixed. To do so, ESET has upgraded the POCO parsing library to the latest build.

The security vendor patched the bug in ESET Endpoint Antivirus version 6.4.168.0.

Google researchers advise users to log on from the product’s change here.